What is SMS-based authentication and how does it work?

Vincent Delitz

Created: January 31, 2025

Updated: February 17, 2025

What is SMS-Based Authentication?

SMS-based authentication is a method used to verify a user's identity by sending a one-time passcode (OTP) via SMS to their registered phone number. The user then enters this code into the authentication system to gain access. This method is commonly used in two-factor authentication (2FA) and multi-factor authentication (MFA) setups.

[Figure: SMS-based authentication explained]

Types of SMS-Based Authentication

There are two primary types of SMS-based authentication:

  • Single-Factor Authentication (SFA): Users log in using an SMS OTP instead of a traditional password.
  • Two-Factor Authentication (2FA): Users first enter their password and then verify their identity using an SMS OTP.

How Does SMS-Based Authentication Work?

  1. A user attempts to log in or perform a sensitive action.
  2. The system sends an OTP via SMS to the user's registered phone number.
  3. The user retrieves the OTP from their SMS inbox and enters it into the application.
  4. If the OTP matches the expected value, authentication is successful.

Drawbacks of SMS-Based Authentication

Despite its widespread adoption, SMS-based authentication has significant downsides:

  • Security Risks:

    • SMS Traffic Pumping: Attackers exploit SMS billing systems to generate fraudulent messages, increasing costs for businesses.
    • SIM Swapping: Hackers transfer a victim's phone number to a new SIM card to intercept OTPs.
    • Phishing Attacks: SMS-based authentication is susceptible to phishing attempts where users are tricked into revealing their OTP.
  • High Costs:

    • Businesses pay for each authentication SMS sent, often costing $0.01–$0.20 per message.
    • Large-scale deployments can incur millions of dollars in annual SMS costs.
  • Poor User Experience (UX):

    • Desktop users must manually enter SMS OTPs from their mobile phones, creating friction.
    • SMS delivery failures and delays can frustrate users and lead to login abandonment.

Passkeys: A Secure Alternative to SMS-Based Authentication

To address these challenges, passkeys provide a phishing-resistant, cost-effective, and user-friendly alternative to SMS-based authentication. By using public-key cryptography, passkeys eliminate the need for passwords and SMS OTPs, reducing fraud risk while significantly improving the user experience.

For enterprises looking to reduce authentication costs and enhance security, switching from SMS-based authentication to passkeys is a future-proof strategy.
